Solved

linux curl command to login form with random token including in POST data

Posted on 2016-09-01
10
96 Views
Last Modified: 2016-09-07
Hello Expert,

I am trying to login to my bank form data to get total balance for further use. I used Firefox'Tamper data to capture POST data needed to login. When I click submit I 've got info like below.
POSTDATA=tokenId=20619099050&userName=MyUserName&password=MyPassword&cmd=authenticate&locale=en&custType=&app=0

Open in new window


You will see random auto-generate "tokenID" always including in POSTDATA.

I wish to use curl command (Centos linux)  to successfuly login but I have no idea to how to have tokenID including in the POSTDATA.

Does anyone experienced this kind of login and how to make it work?

Thank you.
0
Comment
Question by:trazodone
10 Comments
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41782030
There are lots of ways to implement tokens, so it really depends on how your bank chose to do it. Often times, financial institutions are more cautious about these things and try to actively prevent you from doing this type of thing because it is the way that malicious attacks are performed.

The basic idea is you need to download the login page first and extract the token from the page. If it's set via Javascript, you might not be able to do this programmatically. If it's just on the page, then you can use regular expressions to extract the token ID from the login page, and then use it in your next request.

Sometimes the token is in the page content, sometimes it's in the page header, sometimes it comes from a separate AJAX call, etc, etc... So you'd have to know how the token is generated before you can scrape it.

All that said, don't do this.

Again, most banks will think your attempts are a potential hacking attempt and could potentially ban your IP address, or could even trigger off automated security lockdowns on your account.

If you want to programmatically access your account, then you need to contact your bank and ask if they provide an API that you can use. The API will come with documentation that will describe exactly how you can access it and what you can do with the API. More importantly, it's designed specifically for what you're trying to do (access your account via cURL), so it won't look like a hacking attempt.
2
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 41782361
1) Correct approach would be politely asking BANK if there is official API to do the stuff you need.
2) Normally some web crawling framework like beautifulsoup from EPEL is used for such forms
3) Read (1) - there could be othr traps than random token in login form only
0
 

Author Comment

by:trazodone
ID: 41782570
Hello,

Asking information from bank can be more complicate. I would like to have something functioned like a standard web browser but command line then I can successfully login regardless what tokenID is and can have get info I'd like. I am trying Apache JMeter.
0
 
LVL 12

Expert Comment

by:William Nettmann
ID: 41782588
That token is being generated by the bank's systems to make sure that nobody can do what you are trying to do.
1
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41788002
Is there a reason you accepted #41782361 over the others? Every single expert has told you the same thing - contact your bank and ask for an API. Anything else is likely to fail or actually create new problems...
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 61

Expert Comment

by:gheist
ID: 41788390
BS4 can easily repost random tokens and pinch counter-pixel or even parse simple javascripts.
Others skipped it.
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41788629
That's unfortunate. It is a -really- bad idea to try to do this without the bank's permission, even if a framework or library can assist (for now).
0
 
LVL 61

Expert Comment

by:gheist
ID: 41788635
In generic conditions one can crawl website with login that way. Ermmm never thought to do so with the bank...
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41788793
Yeah, normal crawling / web scraping isn't an issue with generic sites. Financial institutions tend to be much more sensitive to anything resembling non-standard usage (e.g. HTML pages load but not there are no requests for the images = almost always a script), and they often have terms and conditions regarding how you can legally access the site.

Plus, more and more financial institutions are implementing two-factor authentication (e.g. if the client browser isn't recognized, a code is sent via SMS to the mobile phone on file), which a script wouldn't be able to circumvent normally. However, an API would allow him consistent and safe access to the information, with much lower risk of minor changes causing his script to break.

-shrug- All that said, if the OP wants to take that chance, it's his or her risk to take.
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 41788805
Incidentally, QuickBooks Online can connect to most major banks via -their- APIs and has an available API that a normal developer could use:
https://developer.intuit.com/v2/apiexplorer
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CentOS/RHEL 7 Linux maillog worldwide readable 2 43
What .NET URL re-routing tool did I use? 2 38
Form Processing in PHP 11 32
Reset Root Password on CentOS 6 4 44
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now